Thursday, 5 January 2017

Prevent QR 'over the shoulder' scan

For an app (Android & iOS) project, registration is needed before being able to log in. This is done by scanning a QR code containing a one-time password on the associated webpage, using a camera feature in the app. The flow on the web is: see info about the app and the app store link -> show QR -> set PIN code -> confirm.

I want to create a mechanism to prevent someone from opening the registration flow and then leaving his desk (e.g. going for a coffee at the office) for a while. Otherwise some 'attacker' could complete the QR step, and when the original user returns to his desk, he will set a PIN and confirm, possibly without realising that there was ever a QR step. Even though the 'attacker' will not know the PIN, the wrong device will be registered, so the original user will not be able to use his app.

Currently there is a time limit of 1 minute, but the QR can be reloaded with a new OTP, so it does not have much effect.
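The flow and the reload problem described above, modelled as added example code (not from the original post or the project it describes): a server-side registration session with the post's weak policy, where every reload restarts the one-minute QR timer, beside a hardened policy that anchors the deadline at the moment the flow was started, expires the PIN step shortly after the scan, and requires the user to acknowledge the scanning device that the page displays. The five-minute flow deadline, the 90-second scan-to-PIN window, the device-acknowledgement step and the device names in the timelines are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

QR_TTL = 60            # from the post: each QR/OTP is valid for one minute
FLOW_TTL = 5 * 60      # assumption: hard deadline for the whole web flow
SCAN_TO_PIN_TTL = 90   # assumption: PIN must be set shortly after the scan


class RegistrationError(Exception):
    pass


@dataclass
class RegistrationFlow:
    """Server-side state for one web registration session (info -> QR -> PIN -> confirm)."""
    started_at: float
    hardened: bool
    otp: Optional[str] = None
    otp_issued_at: Optional[float] = None
    scanned_device: Optional[str] = None
    scanned_at: Optional[float] = None
    pin_set: bool = False
    confirmed: bool = False

    def show_qr(self, now: float) -> str:
        """Issue (or, on reload, re-issue) the one-time password placed in the QR."""
        if self.scanned_device is not None:
            raise RegistrationError("QR step already completed")
        # Weak policy: every reload gets a fresh 60 s window, so the QR step can
        # stay open for as long as the tab is left on the desk.
        # Hardened policy (assumption): the deadline is anchored at flow start,
        # so reloading cannot extend it.
        if self.hardened and now - self.started_at > FLOW_TTL:
            raise RegistrationError("registration flow expired; start over")
        self.otp = secrets.token_urlsafe(16)
        self.otp_issued_at = now
        return self.otp

    def scan(self, now: float, otp: str, device_id: str) -> None:
        """App side: the phone posts the OTP it read from the QR plus its device id."""
        if self.otp is None or now - self.otp_issued_at > QR_TTL:
            raise RegistrationError("no valid QR outstanding")
        if not secrets.compare_digest(otp, self.otp):
            raise RegistrationError("wrong OTP")
        self.otp = None                      # one-time password: burn it
        self.scanned_device = device_id
        self.scanned_at = now

    def set_pin(self, now: float, acknowledged_device: Optional[str] = None) -> None:
        """Web step 3. Hardened (assumption): the PIN page must be reached soon
        after the scan and must echo back the device name shown to the user."""
        if self.scanned_device is None:
            raise RegistrationError("QR not scanned yet")
        if self.hardened:
            if now - self.scanned_at > SCAN_TO_PIN_TTL:
                raise RegistrationError("scan too old; rescan required")
            if acknowledged_device != self.scanned_device:
                raise RegistrationError("scanning device not acknowledged")
        self.pin_set = True

    def confirm(self) -> str:
        """Web step 4: returns the device id that ends up registered."""
        if not self.pin_set:
            raise RegistrationError("PIN not set")
        self.confirmed = True
        return self.scanned_device


def legitimate_registration(hardened: bool) -> str:
    """Constructed happy path: the user scans their own QR and finishes promptly."""
    flow = RegistrationFlow(started_at=0.0, hardened=hardened)
    otp = flow.show_qr(0.0)
    flow.scan(10.0, otp, "alice-phone")
    flow.set_pin(30.0, acknowledged_device="alice-phone")
    return flow.confirm()


def coffee_break(hardened: bool, attacker_reloads_at: float, victim_returns_at: float) -> str:
    """Constructed timeline from the post: the victim opens the QR page at t=0 and
    walks away; an attacker reloads the QR and scans it with their own phone; the
    victim returns, sees the PIN page and completes it without suspecting the scan
    (so acknowledges no device). Returns the registered device id or 'blocked: <reason>'."""
    flow = RegistrationFlow(started_at=0.0, hardened=hardened)
    flow.show_qr(0.0)                                    # victim's QR, never scanned
    try:
        otp = flow.show_qr(attacker_reloads_at)          # attacker reloads for a fresh OTP
        flow.scan(attacker_reloads_at + 5, otp, "attacker-phone")
        flow.set_pin(victim_returns_at, acknowledged_device=None)
        return flow.confirm()
    except RegistrationError as e:
        return f"blocked: {e}"


if __name__ == "__main__":
    print("weak, attacker reloads at 400 s:", coffee_break(False, 400.0, 900.0))
    print("hardened, attacker reloads at 400 s:", coffee_break(True, 400.0, 900.0))
    print("hardened, reload at 200 s, victim back at 900 s:", coffee_break(True, 200.0, 900.0))
    print("hardened, reload at 200 s, victim back at 250 s:", coffee_break(True, 200.0, 250.0))
```

With the weak policy the attacker's reload at 400 s still yields a valid OTP and the attacker's phone is registered; with the hardened policy the same reload is refused because the flow deadline has passed, and an attacker who reloads and scans within the deadline is stopped either by the scan-to-PIN window or because the returning user does not acknowledge an unfamiliar device name on the PIN page.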
